[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Paul Vixie paul at redbarn.org
Tue Sep 6 11:28:24 UTC 2016



sthaug at nethelp.no wrote:
>> one ethics canary is "how would the world be if everyone did what i'm
>> considering doing?" and in this case the attackers would switch to some
>> other qtype than ANY, and continue as before. this would make it harder
>> to detect, and surreptitiously backtrack, these attacks, since they
>> would fade more so into the background. a net loss for the defense.
>
> I'm very willing to believe that some attackers switch. However, the
> observed behavior from "my" name servers is that attackers continue
> using ANY queries in a significant majority of the cases. Only once in
> a while do we see attacks based on TXT or some other type of query.
>
> Thus from my point of view, restricting ANY queries (for instance by
> forcing truncation and switch to TCP) still seems like a net win.

you are not playing this game to win. think economics. think area under 
the curve.

> YMMV.

no. we will, together, live in the world that blocking ANY will create.

-- 
P Vixie
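The mechanism the thread argues about, "forcing truncation and switch to TCP" for ANY (and, per the subject line, SOA) queries arriving over UDP, as an added worked example that is not code from the list or from either poster. It builds a DNS query, decides under a configurable QTYPE policy whether a UDP query should get a TC=1 reply, builds that reply, and tallies QTYPEs over a small set of constructed sample queries (not captured traffic) to show the measurement behind the "attackers still mostly use ANY" observation. The response format is the standard header-plus-question truncated reply; the policy set and sample traffic are assumptions of this example.

```python
import struct

# DNS RR type codes (RFC 1035 / IANA registry); ANY is the QTYPE the thread is about.
QTYPE_A, QTYPE_SOA, QTYPE_TXT, QTYPE_ANY = 1, 6, 16, 255

# Header flag bits: QR (response), TC (truncated), RD (recursion desired).
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(qname):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, rd=True):
    """Build a single-question DNS query packet (class IN)."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Parse the header and the single question of a query packet."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": pkt[12:off + 4]}


# Policy (an assumption of this example): QTYPEs that are answered with TC=1
# when they arrive over UDP. The subject line argues SOA belongs beside ANY.
FORCE_TCP_QTYPES = {QTYPE_ANY, QTYPE_SOA}


def should_force_tcp(query_pkt, transport, policy=FORCE_TCP_QTYPES):
    """True when the query came over UDP and its QTYPE is in the policy set."""
    return transport == "udp" and parse_query(query_pkt)["qtype"] in policy


def truncated_response(query_pkt):
    """Minimal truncated reply: QR=1, TC=1, RD copied, question echoed, no records.
    A real resolver retries over TCP (which a spoofed source cannot complete);
    the reply is no larger than the query, so there is nothing to amplify."""
    q = parse_query(query_pkt)
    flags = FLAG_QR | FLAG_TC | (q["flags"] & FLAG_RD)
    return struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0) + q["question"]


def is_truncated(pkt):
    """Return whether the TC bit is set in a DNS packet header."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & FLAG_TC)


def qtype_histogram(queries):
    """Count QTYPEs over (packet, transport) tuples: the measurement a server
    operator would keep to see whether ANY still dominates after a policy change."""
    counts = {}
    for pkt, _ in queries:
        t = parse_query(pkt)["qtype"]
        counts[t] = counts.get(t, 0) + 1
    return counts


def apply_policy(queries, policy=FORCE_TCP_QTYPES):
    """How many of the given queries would be answered with TC=1 under the policy."""
    return sum(1 for pkt, tr in queries if should_force_tcp(pkt, tr, policy))


# Constructed sample traffic (not captured data): mostly ANY over UDP, one TXT,
# one SOA, one A, and one ANY that already arrived over TCP.
SAMPLE = [(build_query("example.com", QTYPE_ANY, txid=i), "udp") for i in range(5)]
SAMPLE += [(build_query("example.com", QTYPE_TXT, txid=10), "udp"),
           (build_query("example.com", QTYPE_SOA, txid=11), "udp"),
           (build_query("example.com", QTYPE_A, txid=12), "udp"),
           (build_query("example.com", QTYPE_ANY, txid=13), "tcp")]

if __name__ == "__main__":
    print("qtype histogram:", qtype_histogram(SAMPLE))
    print("forced to TCP (ANY only):", apply_policy(SAMPLE, {QTYPE_ANY}))
    print("forced to TCP (ANY+SOA):", apply_policy(SAMPLE))
```

Running the block on the constructed sample shows the two policy variants side by side: with only ANY in the set, five of the nine queries get a TC=1 reply; adding SOA, as the subject line suggests, makes it six. The histogram is the figure a site would watch over time to judge, with its own traffic rather than by argument, whether attackers actually move to other QTYPEs once ANY is truncated.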
